Product Reference

This reference summarizes the product surfaces tenants, application developers, organization administrators, agent builders, and users interact with.

First-party surfaces

| Surface | Audience | Purpose |
|---|---|---|
| Auth | End users and applications | Hosted login, consent, MFA, OAuth redirects |
| Identity portal | End users | Profile, authenticators, sessions, connected apps |
| Dashboard | Tenant administrators | Applications, users, organizations, agents, policies, billing |
| API | Application developers and operators | Tenant administration, OAuth, webhooks, organizations, agents |
| Docs | Tenants and users | Product and integration guidance |

Supported authentication methods

| Method | Notes |
|---|---|
| Email and password | Broad compatibility |
| Passkeys and WebAuthn | Phishing-resistant sign-in |
| Magic links | Email-based low-friction login |
| Email OTP | Verification and recovery flows |
| Phone OTP | Phone-based verification where enabled |
| Social OAuth | Consumer and developer login |
| Enterprise OIDC SSO | Organization-managed login |
| SIWE wallet authentication | Wallet-first user journeys |
| Anonymous accounts | Guest or trial access when enabled by the tenant |

OAuth capabilities

| Capability | Endpoint or mechanism |
|---|---|
| Authorization Code with PKCE | /oauth/authorize, /oauth/token |
| Client Credentials | /oauth/token |
| Refresh Token | /oauth/token |
| Token Exchange | /oauth/token |
| Device Authorization | /oauth/device/code, /oauth/token, /oauth/device/verify |
| Pushed Authorization Requests | /oauth/par, then /oauth/authorize?request_uri=... |
| Rich Authorization Requests | authorization_details on authorization requests and token responses |
| CIBA Backchannel Authentication | /bc-authorize, then /oauth/token |
| ACR Values | acr_values on authorization requests for step-up enforcement |
| OIDC Claims Parameter | claims on authorization requests |
| Revocation | /oauth/revoke |
| Introspection | /oauth/introspect |
| OIDC Discovery | /.well-known/openid-configuration |
| JWKS | /.well-known/jwks.json |
| UserInfo | /userinfo |
| RP-Initiated Logout | /oauth/end-session |
| Dynamic Client Registration | /oauth/register, when enabled |

Tenant administration areas

| Area | Typical tasks |
|---|---|
| Applications | Configure OAuth clients, redirect URIs, origins, scopes |
| Users | Invite, pre-provision, suspend, reactivate, remove |
| Organizations | Create workspaces, manage members, switch active organization |
| SSO | Configure enterprise OIDC providers and domain routing |
| Roles and scopes | Define authorization bundles and API permissions |
| Policies | Apply conditional access rules |
| Agents | Register agents, anchors, keys, and delegations |
| Vault | Manage third-party credential grants |
| Wallets | Configure managed wallet signing controls |
| Webhooks | Subscribe to events and inspect delivery status |
| Billing | Manage checkout, portal, credits, and plan limits |
| Audit logs | Review security and administrative activity |

Event categories

For concrete event type strings and subscription guidance, see Webhooks And Events.

| Category | Examples |
|---|---|
| Authentication | Login, logout, token issue, token revocation |
| MFA and risk | MFA challenge, MFA verification, adaptive MFA |
| Tenant users | Invitation, activation, suspension, removal |
| Administration | User, agent, delegation, key changes |
| Vault | Credential and grant lifecycle |
| Wallet | Signing, rejection, budget exceedance |
| Chain | Ownership, reputation, metadata changes |
| SSO | Configuration, login success/failure, provisioning |
| Organizations | Domains, members, role changes, ownership transfer |
| Commerce | Payment, refund, settlement |
| Security | Brute force, refresh token reuse, suspicious activity |

Security defaults tenants should preserve

  • exact redirect URI matching
  • HTTPS in production
  • MFA for administrators
  • narrow scopes
  • token audience validation
  • pairwise tenant-local user subjects
  • signed webhooks
  • short-lived delegated agent access
  • audit review for high-impact changes

Source

The public source repository is sig-id/sigid-core.